Yahoo Inc.’s recent announcement that a billion subscriber accounts were hacked in 2013 is just the latest cybersecurity woe for the Silicon Valley web giant.
In August, the company announced that 500 million user accounts had been compromised in a 2014 hack, triggering regulatory backlash in Washington, complicating its proposed sale of core assets to Verizon, and setting off a series of suits by plaintiffs’ firms.
What follows is an update of our September report on Yahoo’s data security issues. Because data security is top-of-mind for many in-house lawyers and because the Yahoo breaches provide a stark example of the stakes involved, we’ve continued gathering threads about the attacks and their fallout from various news and legal sources. Here’s what we know.
The company announced on Dec. 14 that a billion accounts had been hacked in 2013 and that it learned of the hack after law enforcement provided it samples of data from “a third party.”
“The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” Yahoo said in a release. “Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft.”
Yahoo said it believes this incident is distinct from the incident the company disclosed on September 22. In that breach, the company said its systems had been breached in late 2014 by an unnamed state-sponsored actor and 500 million users had been affected.
It’s not yet clear how many of the accounts in the two breaches overlap. Yahoo has more than a billion monthly users, many with multiple accounts.
The Stolen Data
Hackers gained access to names, email addresses, phone numbers, birthdates and security questions and answers. Yahoo has said that it does not believe customers’ financial information was taken.
But, according to a report by CIO Today, a trade publication for IT professionals, hackers stole passwords in both attacks. “Technically, those passwords should be secure; Yahoo said they were scrambled by a cryptographic technique called hashing,” according to CIO. “But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases. That could mean trouble for any users who reused their Yahoo password for other online accounts.”
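The CIO Today passage describes why a hashed password database is not automatically safe: if every account's password is hashed the same fast way, one precomputed dictionary of hashed common phrases can be matched against every stored record. The following is an added illustration, not code from the article or from Yahoo, and it makes no claim about which hashing scheme Yahoo actually used. It uses a deliberately weak unsalted MD5 as the "before" case and a per-user salt with a slow key-derivation function (PBKDF2) as the mitigation, with a constructed four-word dictionary standing in for the "huge dictionaries" the article mentions.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration; not real user data.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable 2016-era work factor


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme chosen for illustration: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(dictionary):
    """The 'dictionary of similarly scrambled phrases' from the article.

    It is built once and reused against every account, because with no salt
    every user who chose 'letmein' ends up with the identical stored value.
    """
    return {fast_unsalted_hash(word): word for word in dictionary}


def recoverable_with_table(stored_hash: str, table):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return table.get(stored_hash)


def slow_salted_hash(password: str, salt: bytes = None, iterations=PBKDF2_ITERATIONS):
    """Mitigation: random per-user salt plus a slow KDF.

    The salt makes a precomputed table useless (each record needs its own
    table), and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def verify_salted(password: str, salt: bytes, expected: bytes, iterations=PBKDF2_ITERATIONS):
    """Constant-time check of a login attempt against the stored salt and digest."""
    _, derived = slow_salted_hash(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


def demo():
    """Compare the two storage schemes on the same password."""
    table = precomputed_table(COMMON_PASSWORDS)

    # Unsalted record: the reusable table recovers it immediately.
    weak_record = fast_unsalted_hash("letmein")

    # Salted records: two users with the same password get different digests,
    # and neither digest appears in the precomputed table.
    salt_a, strong_a = slow_salted_hash("letmein")
    salt_b, strong_b = slow_salted_hash("letmein")

    return {
        "weak_recovered": recoverable_with_table(weak_record, table),
        "strong_in_table": strong_a.hex() in table,
        "same_password_distinct": strong_a != strong_b,
        "strong_verifies": verify_salted("letmein", salt_a, strong_a),
        "strong_rejects_wrong": verify_salted("password", salt_a, strong_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a reader deciding what "hashed" means in an incident report: the unsalted record is recovered by a table lookup with no per-account effort, while the salted, iterated record forces work on every single account and cannot be matched against a shared dictionary at all.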
The New York Times reported on Dec. 15 that Yahoo user data had been offered for sale on the dark web by “a geographically dispersed hacking collective based in Eastern Europe.” The Times, quoting a cybersecurity firm that tracks dark web activities, said that “three buyers — two known spammers and an entity that appeared more interested in espionage — paid about $300,000 each for a complete copy of the database.”
Response to the Crisis
Yahoo continues to take heat for its response to the breaches. The company has been attacked for failing to detect the breaches when they occurred, for failing to get in front of the problem, and for taking years to inform users, business partners and regulators.
Network World, a publication for networking and IT executives, said the breaches are “an object lesson for businesses and other entities that might someday have to explain a breach – get out in front of the problem and be open with facts about how it happened and what’s being done to fix it. Also – and this is difficult to specify – they should employ detection platforms that expose such breaches more quickly.”
Writing for Newsweek, Oren J. Falkowitz, the CEO of Area 1 Security and former official at U.S. Cyber Command and the National Security Agency, laid out several questions that executives (including general counsel) should be asking about their cyber security policies.
“Are there preemptive measures everywhere you turn?” Falkowitz asked. “Have your IT people made all the patches that need to be made? Have you purged obsolete applications full of vulnerabilities you’ve got lying around? That’s like keeping a pile of oily rags in a corner. Have you upgraded your cybersecurity software and tested it to make sure it’s working? If the answer to any of those questions is, ‘Well, no, not really,’ you shouldn’t be surprised when your organization ends up in the news for all the wrong reasons.”
As we reported in September, a recent survey of general counsel by the Consero Group showed that 40 percent of GCs had dealt with a data breach in the last 12 months. They listed it as one of their two top risk concerns. Only 38 percent of GCs, however, had a crisis management plan in place for dealing with a data privacy issue. (The Consero report can be downloaded here.)
In his Newsweek article, Falkowitz said that companies have been lured into a false assumption because breaches are ubiquitous and seemingly inevitable. “Part of the lack of preparation is fatalism. We see breaches everywhere and assume we’re not immune. Businesses can hardly be faulted for not investing more in cybersecurity if they think breaches are simply inevitable. That brings us back to why we need preemption. If we are going to exist online, and it looks like that’s the plan for the foreseeable future, then we better change what we consider to be acceptable in cybersecurity.”
Deal and Suits
The continuing questions about Yahoo’s online security are throwing a wrench into its negotiations to sell its core business to Verizon. Verizon has said that it is still reviewing its options, but some believe the $4.8 billion deal could be in deep trouble. Verizon, The San Jose Mercury News reported, “needs strong trust from consumers, and the firm may torpedo the Yahoo deal to avoid being tarred with the same brush as the floundering tech firm.” Joel Espelien, a senior analyst with The Diffusion Group, told the Mercury News: “It wouldn’t shock me if Verizon backed away just because they don’t want the guilt by association.”
Meanwhile the suits are piling up. More than 20 class actions have been filed over the 2014 breach, according to the Mercury News, and within hours of the company’s announcement of the 2013 breach, a new class action had been filed in U.S. District Court for the Northern District of California.
On the legal front, Yahoo has caught one break. It will fight a major piece of the battle in its home court and before a judge known for her tech savvy. On Dec. 8, the U.S. Judicial Panel on Multidistrict Litigation consolidated five of the class actions in the Northern District – Silicon Valley’s federal court. The panel assigned U.S. District Judge Lucy Koh to the litigation, In re Yahoo Customer Data Sec. Breach Litigation.
According to Bloomberg BNA, “Koh has been viewed as a Silicon Valley stalwart, who has been able to navigate some of the trickier tech sector cases. Getting the case in front of such an experienced and tech-savvy judge is an important development. Koh has handled large-scale litigation involving most of Silicon Valley’s well-known tech Goliaths, including Alphabet Inc.’s Google, LinkedIn Corp. and Facebook Inc.”